CLAIMS 

What is claimed is: 

1 1 . A method for securing data in communications between a client and server using an 

2 unencrypted transfer protocol that does not encrypt a payload defined by the transfer 

3 protocol, the method comprising the computer-implemented steps of: 

4 selecting a subset from a set of data to be communicated between the client and the 

5 server in a particular payload of the unencrypted transfer protocol; 

6 determining a secret integer that is unique for the subset among a plurality of subsets 

7 in a plurality of payloads; 

8 based on the subset and the secret integer, generating encrypted data that is 

9 impractical for a device other than the client and the server to decrypt; and 

10 sending, from a sending device of the client and the server to a receiving device of the 

1 1 client and the server, in the particular payload, the encrypted data and clue 

12 information to determine, only at the client and the server, the secret integer 

1 3 for decrypting the encrypted data. 

12. A method as recited in Claim 1 , wherein the unencrypted transfer protocol is 
2 Hypertext Transfer Protocol (HTTP). 

13. A method as recited in Claim 1 , said step of determining a secret integer that is unique 

2 for the subset further comprising the steps of: 

3 generating a first integer using a random number generator; 
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4 determining a shared secret key to be shared with the receiving device based on the 

5 first integer and a first public key associated with the receiving device; and 

6 selecting the secret integer based on the shared secret key. 

1 4. A method as recited in Claim 3, said step of sending the information to determine the 

2 secret integer further comprising the steps of: 

3 determining a second public key associated with the sending device based on the first 

4 integer; and 

5 including the second public key in the information to determine the secret integer. 
6 

1 5. A method as recited in Claim 3, said step of sending the information to determine the 

2 secret integer further comprising the steps of: 

3 determining a plurality of second public keys associated with the sending device 

4 based on the first integer, wherein each of the second public keys is associated 

5 with one of a plurality of subsets from the set of data; and 

6 including the plurality of second public keys in the information to determine the 

7 secret integer. 

1 6. A method as recited in Claim 3, said step of setting the secret integer further 



2 comprising the step of applying a particular hash function to the shared secret key to generate 

3 the secret integer. 
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7. A method as recited in Claim 3, said step of generating encrypted data further 
comprising the step of performing an exclusive or (XOR) operation between corresponding 
bits of the subset and the secret integer to generate the encrypted data. 

8. A method as recited in Claim 1 , wherein: 

said step of determining the secret integer further comprises the step of applying a 

particular hash function a plurality of times to a shared secret key shared with 

the receiving device; and 
said step of sending the information to determine the secret integer further comprises 

the step of storing, as part of the clue information, data that indicates a number 

of times the particular hash function has been applied. 

9. A method as recited in Claim 8, said step of determining the secret integer further 
comprising the steps of: 

determining a first integer formed after the particular hash function is applied the 

number of times indicated in the information; 
determining a second integer formed after the particular hash function is applied 

fewer times than the number of times indicated in the information; and 
performing an exclusive or (XOR) operation between corresponding bits of the first 

integer and the second integer. 
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1 10. A method as recited in Claim 8, said step of determining the secret integer further 

2 comprising the steps of: 

3 determining a first integer formed after the particular hash function is applied the 

4 number of times indicated in the information; 

5 determining a second integer formed after a second hash function is applied for the 

6 number of times indicated in the information, wherein the second hash 

7 function is different from the particular hash function that is used to determine 

8 the first integer; and 

O 9 performing an exclusive or (XOR) operation between corresponding bits of the first 

Hi 10 integer and the second integer. 
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1 11. A method as recited in Claim 8, further comprising, before said step of determining 

2 the secret integer, performing the steps of: 

3 determining the shared secret key based on a particular communication between the 

4 client and the server; and 

5 storing the shared secret key in a secure data structure. 

1 12. A method as recited in Claim 1 , wherein the secret integer has a particular number of 

2 bits fixed for all subsets in all payloads communicated during a communication session 

3 between the client and the server. 
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1 13. A method as recited in Claim 1, wherein the secret integer has a number of bits that 

2 varies in accordance with lengths of payloads that are communicated during a communication 

3 session between the client and the server. 

1 14. A method for securing data in communications between a client and server using an 

2 unencrypted transfer protocol that does not encrypt a payload associated with the transport 

3 protocol, the method comprising the computer-implemented steps of: 

4 receiving, at a receiving device of the client and the server from a sending device of 

5 the client and the server, in a particular payload of the unencrypted transfer 

6 protocol, encrypted data and clue information to determine, only at the client 

7 and the server, a secret integer unique for the encrypted data in the particular 

8 payload among a plurality of subsets in a plurality of payloads; 

9 determining the secret integer based, at least in part, on the clue information; and 

1 0 based on the secret integer, decrypting the encrypted data to generate a subset of data 

11 to be communicated between client and server. 

1 15. A method as recited in Claim 1 4, wherein the unencrypted transfer protocol is the 

2 Hypertext Transfer Protocol (HTTP). 

1 16. A method as recited in Claim 14, said step of determining the secret integer further 

2 comprising the steps of: 

3 based on the clue information, determining a shared secret key shared with the 

4 sending device; and 
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generating the secret integer based on the shared secret key. 



1 17. A method as recited in Claim 1 6, said step of generating the secret integer further 

2 comprising the step of applying a particular hash function to the shared secret key to generate 

3 the secret integer. 

1 18. A method as recited in Claim 1 4, wherein: 



2 the method further comprises the steps of 

3 determining a shared secret key based on a particular communication between 

4 the client and the server, and 

5 storing the shared secret key in a secure data structure; and 

6 the clue information indicates a number of times a particular hash function is applied 

7 to the shared secret key in generating the secret integer. 



1 19. A method as recited in Claim 1 8, said step of determining the secret integer further 

2 comprising the step of causing the particular hash function to be applied the number of times 

3 indicated by the clue information to the shared secret key: 

1 20. A method as recited in Claim 1 9, said step of determining the secret integer further 

2 comprising the steps of: 



3 determining a first integer formed after the particular hash function is applied the 

4 number of times indicated by the clue information; 

5 determining a second integer formed after the particular hash function is applied 

6 fewer times than the number of times indicated by the clue information; and 
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7 performing an exclusive or (XOR) operation between corresponding bits of the first 

8 integer and the second integer. 

1 21. A method as recited in Claim 19, said step of determining the secret integer further 

2 comprising the steps of: 

3 determining a first integer formed after the particular hash function is applied the 

4 number of times indicated in the information; 

5 determining a second integer formed after a second hash function is applied for the 

6 number of times indicated in the information, wherein the second hash 

7 function is different from the particular hash function that is used to determine 

8 the first integer; and 

9 performing an exclusive or (XOR) operation between corresponding bits of the first 
1 0 integer and the second integer. 



1 22. A method as recited in Claim 14, said step of decrypting the encrypted data further 

2 comprising the step of performing an exclusive or (XOR) operation between corresponding 

3 bits of the encrypted data and the secret integer to generate the subset of data. 

1 23. A method as recited in Claim 14, wherein the secret integer has a particular number of 

2 bits fixed for all subsets in all payloads communicated during a communication session 

3 between the client and the server. 
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24. A computer-readable medium carrying one or more sequences of instructions for 
securing data in communications between a client and server using an unencrypted transfer 
protocol that does not encrypt a payload defined by the transport protocol, which instructions, 
when executed by one or more processors, cause the one or more processors to carry out the 
steps of: 

selecting a subset from a set of data to be communicated between the client and the 
server in a particular payload of the unencrypted transfer protocol; 

determining a secret integer that is unique for the subset among a plurality of subsets 
in a plurality of payloads; 

based on the subset and the secret integer, generating encrypted data that is practically 
unintelligible to a device other than the client and the server; and 

sending, from a sending device of the client and the server to a receiving device of the 
client and the server, in the particular payload, the encrypted data and 
information to determine, only at the client and the server, the secret integer 
for decrypting the encrypted data. 
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1 25. A computer-readable medium carrying one or more sequences of instructions for 

2 securing data in communications between a client and server using an unencrypted transfer 

3 protocol that does not encrypt a payload defined by the transport protocol, which instructions, 

4 when executed by one or more processors, cause the one or more processors to carry out the 

5 steps of: 



6 receiving, at a receiving device of the client and the server from a sending device of 

7 the client and the server, in a particular payload of the unencrypted transfer 

8 protocol, encrypted data and information to determine, only at the client and 

9 the server, a secret integer unique for the encrypted data in the particular 

I o payload among a plurality of subsets in a plurality of payloads; 

I I determining the secret integer based, at least in part, on the information; and 

1 2 based on the secret integer, decrypting the encrypted data to generate a subset of data 

13 to be communicated between client and server. 



1 26. An apparatus for securing data in communications between a client and server using 

2 an unencrypted transfer protocol that does not encrypt a payload defined by the transport 

3 protocol, comprising: 



4 means for selecting a subset from a set of data to be communicated between the client 

5 and the server in a particular payload of the unencrypted transfer protocol; 

6 means for determining a secret integer that is unique for the subset among a plurality 

7 of subsets in a plurality of payloads; 

8 means for generating, based on the subset and the secret integer, encrypted data that is 

9 practically unintelligible to a device other than the client and the server; and 
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means for sending to a receiving device of the client and the server, in the particular 
payload, the encrypted data and information to determine, only at the client 
and the server, the secret integer for decrypting the encrypted data. 



27. An apparatus for securing data in communications between a client and server using 
an unencrypted transfer protocol that does not encrypt a payload defined by the transport 
protocol, comprising: 

means for receiving, at a receiving device of the client and the server from a sending 
device of the client and the server, in a particular payload of the unencrypted 
transfer protocol, encrypted data and information to determine, only at the 
client and the server, a secret integer unique for the encrypted data in the 
particular payload among a plurality of subsets in a plurality of payloads; 

means for determining the secret integer based, at least in part, on the information; 
and 

means for decrypting the encrypted data, based on the secret integer, to generate a 
subset of data to be communicated between client and server. 

28. An apparatus for securing data in communications between a client and server using 
an unencrypted transfer protocol that does not encrypt a payload defined by the transport 
protocol, comprising: 

a network interface that is coupled to the data network for sending one or more packet 
flows thereto; 
a processor; 
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7 one or more stored sequences of instructions which, when executed by the processor, 

8 cause the processor to carry out the steps of: 

9 selecting a subset from a set of data to be communicated between the client 

1 0 and the server in a particular payload of the unencrypted transfer 

1 1 protocol; 

12 determining a secret integer that is unique for the subset among a plurality of 

1 3 subsets in a plurality of payloads; 

14 based on the subset and the secret integer, generating encrypted data that is 

1 5 practically unintelligible to a device other than the client and the 

16 server; and 

1 7 sending, to a receiving device of the client and the server, in the particular 

18 payload, the encrypted data and information to determine, only at the 

1 9 client and the server, the secret integer for decrypting the encrypted 

20 data. 

1 29. An apparatus for securing data in communications between a client and server using 

2 an unencrypted transfer protocol that does not encrypt a payload defined by the transport 

3 protocol, comprising: 

4 a network interface that is coupled to the data network for receiving one or more 

5 packet flows therefrom; 

6 a processor; 

7 one or more stored sequences of instructions which, when executed by the processor, 

8 cause the processor to carry out the steps of: 
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receiving, from a sending device of the client and the server, in a particular 
payload of the unencrypted transfer protocol, encrypted data and 
information to determine, only at the client and the server, a secret 
integer unique for the encrypted data in the particular payload among a 
plurality of subsets in a plurality of payloads; 
determining the secret integer based, at least in part, on the information; and 
based on the secret integer, decrypting the encrypted data to generate a subset 
of data to be communicated between client and server. 
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